Hacker News

> I've often wondered: why is trust in CAs an all-or-nothing proposition (aside from EV certs), and why should my particular browser vendor have all the authority over who I should trust?

It doesn't. You can adjust your root certs in Firefox by going to about:preferences#advanced and clicking on certificates.

But what does partial trust look like? Showing half of the HTML? An eyebrow raised emoji instead of a lock?




I wish CA management was easier to bulk-edit. Show me a table of root CAs with their data, their country of origin, etc., and allow me to filter and enable/disable all based on filters.

Full disable would shut down trust entirely, and get the warnings similar to a self-issued cert.

Reduced trust would have a "not Secure" label or something, like a plain http connection.


"Country of origin" is a really interesting one for precisely the Symantec scenario.

Symantec is a US company, right? But the main _problem_ happened at a company called CrossCert, full name Korea Electronic Certification Authority. They're Korean.

So if you decided you don't trust Koreans, Symantec's root looks fine, nothing Korean about that. Except, somewhere Symantec signed a contract with CrossCert saying "OK, we'll issue any certificate you want, so long as you pay us and promise to do all these things". Oh, and then they didn't actually check CrossCert did any of the other things (I think we can assume they checked they got paid...). You don't get to see that contract. It wasn't even prohibited by the rules Symantec had agreed to. If Symantec hadn't been caught issuing bogus certificates as a result you wouldn't even be reading about it.


Many CAs are cross-signed, what should the software do in that case?


For example:

Full trust: green lock icon

Medium trust: yellow lock icon with list of reasons when clicked

Low trust: prompt when attempting to load

No trust: completely blocked, or more difficult to override (like Chrome does now)
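
As an added example (not from the thread), here is one way to put the bulk-edit table of root CAs proposed earlier and the four trust tiers listed above together in Python, working over root certificates in the dict shape `ssl.SSLContext.get_ca_certs()` returns. The per-country policy, the sample roots and the weakest-root rule for cross-signed chains are assumptions made for the example.

```python
import ssl
import time

# Trust tiers from weakest to strongest, matching the four tiers in the thread.
LEVELS = ("no", "low", "medium", "full")
INDICATOR = {"full": "green lock", "medium": "yellow lock, reasons on click",
             "low": "prompt before loading", "no": "blocked"}

# Hypothetical per-country policy; "*" is the default for unlisted countries.
POLICY = {"US": "full", "KR": "low", "*": "medium"}

# Constructed sample roots in the dict shape ssl.SSLContext.get_ca_certs()
# returns; the organisation names are made up, not real CAs.
SAMPLE_ROOTS = [
    {"subject": ((("countryName", "US"),), (("organizationName", "Example Root A"),)),
     "notAfter": "Dec 31 23:59:59 2030 GMT"},
    {"subject": ((("countryName", "KR"),), (("organizationName", "Example Root B"),)),
     "notAfter": "Dec 31 23:59:59 2030 GMT"},
    {"subject": ((("countryName", "US"),), (("organizationName", "Example Root C"),)),
     "notAfter": "Jan 01 00:00:00 2015 GMT"},  # expired
]

def subject_field(cert, key):
    """Pull one attribute (e.g. countryName) out of an ssl-style subject tuple."""
    for rdn in cert["subject"]:
        for name, value in rdn:
            if name == key:
                return value
    return None

def root_trust(cert, policy, now):
    """Trust tier for one root: the country policy, forced to 'no' once expired."""
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        return "no"
    return policy.get(subject_field(cert, "countryName"), policy["*"])

def root_table(certs, policy, now):
    """The bulk-edit view: (organisation, country, tier) per root, filterable by column."""
    return [(subject_field(c, "organizationName"), subject_field(c, "countryName"),
             root_trust(c, policy, now)) for c in certs]

def chain_trust(root_tiers):
    """A cross-signed intermediate chains to several roots; assumption here: the
    weakest root's tier wins, so distrust propagates through cross-signatures."""
    return min(root_tiers, key=LEVELS.index)

if __name__ == "__main__":
    for org, country, tier in root_table(SAMPLE_ROOTS, POLICY, time.time()):
        print(f"{org:16} {country}  {tier:6} -> {INDICATOR[tier]}")
```

To run it over the roots your Python actually trusts, pass `ssl.create_default_context().get_ca_certs()` instead of `SAMPLE_ROOTS`.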


I could go for an eyebrow-raised emoji in some cases. Self-signed certs for instance, or any root cert that the browser picks up from the OS.


Is there an eavesdropper emoji?


U+1F575 SLEUTH OR SPY

Useless. On my computer it looks like Firefox is using a font that has a sleuth with a magnifying glass and a hat, while Emacs uses a font that has a silhouette of a guy wearing a trenchcoat.
